Kerberos

OpenKM Community 6.2.1 hosted on Ubuntu 12.04 within an OpenVZ container

Java version: 1.6.0_27 OpenJDK 64-Bit

When I tried to replicate this setup on 6.2.2 I had to upgrade the Java version, but that one had a problem with the handling of the 'file:<keytab location>' attribute value, so you'd have to make a minor correction in the Kerberos extension files (I'll post a link later if I can find it).

I won't go into details on how to set up Samba4 AD or kerberize a server since there's plenty of documentation available, so this config assumes you already have a working AD/Kerberos environment or know how to set one up.

Base DN in AD: DC=fictional,DC=company

Bind user: ldap-lookup, pass 'secret01'

Users are stored in: OU=Employees,DC=fictional,DC=company

Groups are stored in: OU=Groups,DC=fictional,DC=company

AD hostname: ad

OpenKM server hostname: openkm

Keytab is located in /etc/krb5.keytab and contains an HTTP/openkm.fictional.company service principal.

Before starting the install, create ROLE_USER and ROLE_ADMIN roles in your AD (if that isn't possible you can also use custom roles in your OpenKM config).

At this point you can also decide to use custom default roles; however, this requires setting read permissions on every repository node - this can be done through the interface for every node except the Trash folder, for which you will have to manually add an entry into the database.

1) Download and install OpenKM using your preferred method
2) Download the Spring Security Kerberos Extension .jar file (spring-security-kerberos-core-1.0.0.CI-SNAPSHOT.jar) and put it into your OpenKM lib folder (for example, /opt/tomcat/webapps/OpenKM/WEB-INF/lib). Alternatively you can download and compile the file yourself from Spring Security Kerberos (note that this is a newer version which I have not yet tested)
3) Create the keytab for your OpenKM server and make sure it is readable by the user Tomcat runs as (and by nobody else, since the keytab is the service's long-term credential)
4) Open OpenKM.xml and comment out the authentication manager, since you will be doing all the changes directly in applicationContext.xml
5) Change the applicationContext.xml

Open up a browser that supports SPNEGO (Firefox) and add the URL of your OpenKM server to the trusted URLs (open about:config, search for 'network.n' and add 'openkm.fictional.company', in this case, to the list of trusted URLs).